Snare installation

An appropriate Solaris Distribution
Enterprise customers may download the SnareSolaris package from the Snare Secure Area at https://www.intersectalliance.com.
Solaris version 10 only: A Solaris installation does not normally activate the utilities necessary to activate the auditing subsystem. As such, it must be separately activated on the Solaris host, before the Snare agent will work in collecting and filtering events. The auditing subsystem may be activated using the '/etc/security/bsmconv' script.

Install Snare for Solaris package.

Logon as root user, i.e. at the command prompt enter the command /bin/su and enter the root password when prompted. Issue the command, as root as per your distribution: >pkgadd -d SnareSolaris-supp-4.0.0-i386-S11.pkg
This will install Snare for Solaris and restart the audit daemon (auditd).

Remove Snare for Solaris package (if required).

Query the database to ensure Snare is installed

>pkginfo -l SnareSolaris
Remove the Snare for Solaris package
>pkgrm SnareSolaris

Running Snare

To view the Snare Remote Control Interface enter the URL http://localhost:6161 or http://hostname:6161 where "hostname" is the DNS name or IP address of the target machine.
After installation the auditd daemon will be running. This daemon must be running if the events are to be passed to a remote host.

Restart the auditd daemon either:

By issuing the command: > svcadm restart system/auditd
Via the Remote Control Interface:
From the menu on the right hand side select Apply the Latest Audit Configuration to restart the daemon.

Audit configuration

The Snare configuration is stored as /etc/security/snare.conf. This file contains all the details required by Snare to configure the audit subsystem to successfully execute.
The configuration of /etc/security/snare.conf can be changed either:

directly

Care should be taken if manually editing the snare.conf configuration file to ensure that it conforms to the required format for the audit daemon. Also, any use of the Remote Control Interface to modify security objectives or selected events, may result in manual configuration file changes being overwritten. Details on the configuration file format can be viewed inConfiguration File Description. Failure to specify a correct configuration file will prevent Snare from running or may result in selected events not being able to be read.

or by modifying the objectives via the Remote Control Interface (recommended)

The Remote Control Interface is the most effective and simplest way to configure snare.conf and operates completely in memory, with no reliance on any external files. The Remote Control Interface can be access locally via the URL http://localhost:6161 or remotely via http://hostname:6161 where "hostname" is the DNS name or IP address of the target machine.

Remote Audit Monitoring
The Remote Control Interface can be turned off by editing the default /etc/security/snare.conf file. You can either edit the snare.conf file directly, commenting (using #) the allow=1 line under the [Remote] section, or by setting this value to 0. Save the file.
To ensure any changes to the snare.conf are applied, the agent must be restarted to active the new configuration. This restart process is shown as follows (execute as the root user): >ps -ef

grep auditd
It should return something like:
root 17608 17595 0 13:50:56 pts/1 0:00 grep auditd
root 17606 1 33 13:47:52 ? 2:48 /usr/sbin/auditd
To restart:
>svcadm restart system/auditd
To check that the processes have restarted ensure the processes have new Ids:
>ps -ef

grep auditd
root 17633 1 32 14:12:40 ? 3:14 /usr/sbin/auditd
root 17637 17595 0 14:16:23 pts/1 0:00 grep auditd

Note: For administrators, the system log files will be updated whenever settings are applied to the snare.conf, for example, /var/log/messages. This information may assist you when you require it. Any errors in the configuration file will also be logged.

Installing and running Snare0

Running Snare

Audit configuration